[Snort-users] Ignorehosts still not working...

Don Don at ...5881...
Thu Dec 19 15:32:05 EST 2002


Isn't IGNOREHOSTS a whitespace-delimited entry?
Shouldn't you try
preprocessor portscan-ignorehosts: 207.108.40.xx/32 207.108.40.xxx/32

> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Christopher
> >Robert Cook
> >Sent: Thursday, December 19, 2002 10:05 AM
> >To: Marc Quibell
> >Cc: snort-users at lists.sourceforge.net
> >Subject: Re: [Snort-users] Ignorehosts still not working...
> >
> >
> >try inputting the DNS servers directly into the ignore hosts field (with
> >the CIDR notation)
> >
> >
> >CC
> >
> >Marc Quibell wrote:
> >
> >>My snort cmd line is:
> >> /usr/local/bin/snort -o -q -i eth1  -c /usr/local/demarc/conf/snorteth1.conf
> >>
> >>My snorteth1.conf is as follows:
> >>var HOME_NET any
> >>var EXTERNAL_NET any
> >>var SMTP $HOME_NET
> >>var HTTP_SERVERS $HOME_NET
> >>var SQL_SERVERS $HOME_NET
> >>#var DNS_SERVERS $HOME_NET
> >>var DNS_SERVERS [207.108.40.xx,207.108.40.xxx]
> >>var HTTP_PORTS 80
> >>var ORACLE_PORTS 1521
> >>
> >>preprocessor defrag
> >>preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
> >>preprocessor unidecode: 80
> >>preprocessor rpc_decode: 111
> >>preprocessor bo: -nobrute
> >>preprocessor telnet_decode
> >>preprocessor portscan: $HOME_NET 4 3 portscan.log
> >>preprocessor portscan-ignorehosts: $DNS_SERVERS
> >>preprocessor stream4: detect_scans, disable_evasion_alerts
> >>
> >>output database: log, mysql, user=snort_ike dbname=snortmaster password=ikeacc3ss host=192.168.45.111 sensor_name=ike.fbfs.com
> >>
> >>
> >>#BEGIN RULES:
> >>
> >>I cannot get it to ignore those two hosts. Suggestions?
> >>
> >>Thanks.
> >>
> >>Marc
> >>
> >>
> >>
> >>
> >>_______________________________________________
> >>Snort-users mailing list
> >>Snort-users at lists.sourceforge.net
> >>Go to this URL to change user options or unsubscribe:
> >>https://lists.sourceforge.net/lists/listinfo/snort-users
> >>Snort-users list archive:
> >>http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >>
> >
> >
> >
> >
> >
> >
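
An added example, not part of the original thread and not Snort's own code: a Python check that expands `var` definitions in a snort.conf and rewrites the `portscan-ignorehosts` line into the whitespace-delimited CIDR form suggested in the reply above. That the preprocessor wants this form is the reply's suggestion, taken here as an assumption; the addresses are constructed documentation addresses and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config (documentation addresses, not from the thread).
SAMPLE_CONF = """\
var HOME_NET any
var DNS_SERVERS [192.0.2.10,192.0.2.53]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")
IGNORE_RE = re.compile(r"^(\s*preprocessor\s+portscan-ignorehosts\s*:)\s*(.*)$")

def expand(value, variables, depth=0):
    """Substitute $NAME references; an undefined name raises KeyError."""
    if depth > 10:
        raise ValueError("variable reference loop")
    return re.sub(r"\$(\w+)",
                  lambda m: expand(variables[m.group(1)], variables, depth + 1),
                  value)

def normalize_hosts(arg):
    """Split on commas, brackets and whitespace; bare addresses become /32."""
    hosts = []
    for tok in (t for t in re.split(r"[\s,\[\]]+", arg) if t):
        if tok.lower() == "any":
            raise ValueError("'any' would exempt every host from scan detection")
        # ip_network raises ValueError on anything that is not an address/CIDR
        hosts.append(str(ipaddress.ip_network(tok, strict=False)))
    return hosts

def rewrite_conf(text):
    """Return (rewritten config text, list of ignored hosts in CIDR form)."""
    variables, out, found = {}, [], []
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
        m = IGNORE_RE.match(line)
        if m:
            hosts = normalize_hosts(expand(m.group(2), variables))
            found.extend(hosts)
            line = f"{m.group(1)} {' '.join(hosts)}"
        out.append(line)
    return "\n".join(out) + "\n", found
```

Reviewing the returned host list before deploying the rewritten file shows exactly which sources the sensor will stop reporting scans from.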